Is Injection Possible through Dynamic LINQ?


Problem description


Using the Dynamic LINQ library (link: http://weblogs.asp.net/scottgu/archive/2008/01/07/dynamic-linq-part-1-using-the-linq-dynamic-query-library.aspx), is it vulnerable to injection? And (if so) how can this be protected against?

Some background from Security Considerations (Entity Framework):

LINQ to Entities injection attacks:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

Since Dynamic SQL is composed using strings does that mean that it might be susceptible to injection vectors? Or will LINQ to SQL automatically take care of parametrizing your values based on the underlying datatype within the Dynamic LINQ library?

Or is it entirely safe since the dynamic query will be performed in memory rather than against the SQL (thereby negating any benefits from SQL indexes)?

I have been working through understanding the DynamicLibrary.cs code but I'm sure I could be easily overlooking something.

As this question is about the Dynamic LINQ Library itself, it can be considered to apply to both linq-to-sql and linq-to-entities (despite the above reference to Entity Framework).

Solution

Well, I do not agree that the injection is not possible in Dynamic Linq.

What is described in the answer by Ɖiamond ǤeezeƦ is correct but applies to standard Linq as constructed within the given language - C# or VB.Net or by calling extension methods like .Where with lambda functions.

Then, true, it is not possible to inject anything as the .NET Linq to Sql translator is, of course, decently written. Thus, the "SQL injection" is not possible, that's true.

However, what is possible with Dynamic Linq is a "Linq injection" attack. In the explanation of the safety of Linq quoted by the OP, it is stated:

LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

And basically this is the gist. If queries are composed by string manipulation then they are prone to injection attacks. And Dynamic Linq is actually composed from strings, therefore it is potentially prone to attack by injection.

Obviously, the attacker will have to be aware of the fact that you are using DynamicLinq and could attack only by preparing the data so that it results in a valid malicious Dynamic Linq query.

I want to highlight this fact - the final SQL is composed safely, but whether the original dynamic Linq is safe depends on you.

To make your dynamic Linq query safe you must use placeholders for all user input. Never concatenate your strings!

Imagine the following query:

dataset.Where("allowed == 1 and code == \"" + user_entered_data + "\"");

If the input is not sanitized and not escaped, the attacker could potentially input:

200" or allowed == 0 and code == "200

which will result in:

allowed == 1 and code == "200" or allowed == 0 and code == "200"

In order to avoid this, you should use placeholders:

dataset.Where("allowed == 1 and code == @0", user_entered_data);

DynamicLinq will make the placeholder (in this case: user-entered data) a lambda argument (instead of concatenating it into the query) and depend on Linq-To-Entities (or whatever the backend is) to safely convert it to SQL.
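As an added example (not code from the original question, answer or the Dynamic LINQ library), the two queries from the answer are run side by side against constructed in-memory data so the difference is observable. It assumes the System.Linq.Dynamic.Core NuGet package, whose string-based Where(predicate, params object[] values) has the same shape as the DynamicLibrary.cs discussed above; the Record class and the sample rows are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Dynamic.Core;   // assumption: NuGet package System.Linq.Dynamic.Core

// Constructed record type; property names are used in the predicate strings below.
public class Record
{
    public int Allowed { get; set; }
    public string Code { get; set; } = "";
}

public static class DynamicLinqInjectionDemo
{
    // Constructed sample data: one row the caller may see, one restricted row.
    static readonly IQueryable<Record> Dataset = new List<Record>
    {
        new Record { Allowed = 1, Code = "100" },
        new Record { Allowed = 0, Code = "200" },   // restricted: Allowed == 0
    }.AsQueryable();

    // Vulnerable form from the answer: the input is spliced into the predicate text,
    // so Dynamic LINQ parses whatever the caller typed as query syntax.
    public static List<Record> FilterByConcatenation(string userEnteredData) =>
        Dataset.Where("Allowed == 1 and Code == \"" + userEnteredData + "\"").ToList();

    // Hardened form from the answer: @0 binds the value; the predicate text is fixed
    // and the input is never parsed as part of it.
    public static List<Record> FilterWithPlaceholder(string userEnteredData) =>
        Dataset.Where("Allowed == 1 and Code == @0", userEnteredData).ToList();

    // Detection helper for the demo: did a restricted row get through?
    public static bool LeaksRestrictedRows(List<Record> rows) =>
        rows.Any(r => r.Allowed != 1);

    public static void Main()
    {
        // The payload quoted in the answer, embedded here as a constructed test input.
        string malicious = "200\" or Allowed == 0 and Code == \"200";

        var concatenated = FilterByConcatenation(malicious);
        Console.WriteLine($"concatenation: {concatenated.Count} row(s), " +
                          $"restricted row leaked = {LeaksRestrictedRows(concatenated)}");

        var parameterised = FilterWithPlaceholder(malicious);
        Console.WriteLine($"placeholder:   {parameterised.Count} row(s), " +
                          $"restricted row leaked = {LeaksRestrictedRows(parameterised)}");
    }
}
```

With the concatenated predicate the parser sees `Allowed == 1 and Code == "200" or Allowed == 0 and Code == "200"` (and binds tighter than or, as in the answer), whereas with @0 the entire payload is compared as a single string literal against Code.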
